JD Wetherspoon has confirming it is investigating a data breach that has seen the personal details of over 650,000 customers stolen from a company database.
The pub chain confirmed that “very limited” credit and debit card information for around 100 people was taken as part of the attack in June but it could not be used for fraud. The theft of other personal information including names and emails was much more widespread.
The Information Commissioner’s Office (ICO) has been informed of the breach and is expected to investigate. The affected database had the names, dates of birth, email addresses and phone numbers of 656,723 customers.
A total of 100 people had their card data stolen, with those impacted by the breach being people who bought Wetherspoon vouchers online between January 2009 and August 2014.
Just the last four digits of payment cards were obtained in the incident as the rest of the digits were not stored in the Wetherspoon’s database, according to company chief executive John Hutson.
The card data was not encrypted as other details were not stored on the database. In a letter to customers, Mr Hutson apologised and advised customers remain careful and make sure they do not give out personal information to unknown parties.
Wetherspoon was hacked between June 15th and 17th on the pub’s old website, but the breach was only discovered this month. Wetherspoon's stated this was because the data was held by a third party that was responsible for hosting the site, which has since been replaced.
Mr Hutson explained that there was no evidence fraudulent activity took place using the hacked data, adding that the database did not hold any passwords.
“We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing,” he explained.
Information would have been placed on the database when customers signed up to receive the pub’s newsletter, registered with The Cloud to use Wi-Fi services or submitted a “contact us” form on the website.
The incident is another reminder of the risks that businesses face when they collect personal customer data, after TalkTalk suffered a severe hack last month when 156,959 customers had their personal details accessed.
Such significant data breaches are alerting more businesses and customers to the problems that can arise from not keeping their personal data secure, but there continues to be hacking incidents as criminals find increasingly sophisticated methods of infiltrating company networks.